[Devel] [PATCH rh7] security: device_cgroup -- Allow manage devices in @pseudosuper state
Cyrill Gorcunov
gorcunov at virtuozzo.com
Thu Jun 16 04:42:48 PDT 2016
When restoring containers with several disks it's more convenient
to mount the device first and then set up the permissions needed. So for this
sake we allow escaping device permission testing inside a VE only
if the @pseudosuper state is enabled.
https://jira.sw.ru/browse/PSBM-48421
CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
CC: Andrey Vagin <avagin at openvz.org>
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
---
Compile tested only.
security/device_cgroup.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
Index: linux-pcs7.git/security/device_cgroup.c
===================================================================
--- linux-pcs7.git.orig/security/device_cgroup.c
+++ linux-pcs7.git/security/device_cgroup.c
@@ -902,8 +902,24 @@ static int __devcgroup_check_permission(
minor, access);
rcu_read_unlock();
+#ifdef CONFIG_VE
+ /*
+ * When restoring container allow everything in
+ * pseudosuper state. We need this for early
+ * mounting of second ploop device. Still, don't
+ * change behaviour on the ve0.
+ */
+ if (!rc) {
+ struct ve_struct *ve = get_exec_env();
+
+ if (!ve_is_super(ve) && ve->is_pseudosuper)
+ return 0;
+ return -EPERM;
+ }
+#else
if (!rc)
return -EPERM;
+#endif
return 0;
}
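Review bot: the early "return 0" under "if (!ve_is_super(ve) && ve->is_pseudosuper)" skips the denial for every device, minor and access value that reaches this function, while the comment justifies it only by the early mount of a second ploop device. Consider narrowing the bypass to the device and access that the restore-time mount actually needs, or extend the comment to say why a blanket allow is acceptable and what guarantees is_pseudosuper is cleared before the container runs untrusted code. The #ifdef CONFIG_VE / #else split also duplicates the "if (!rc)" test; a small helper that reports whether the current VE is in pseudosuper state, and is always false without CONFIG_VE, would leave a single "if (!rc && !helper()) return -EPERM;" path. Since the posting says "Compile tested only", a restore run showing that a non-pseudosuper VE and ve0 still get -EPERM would be worth adding before merge.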